What should a model audit of a processor look like in the event of an incident? Should a post-incident risk analysis be conducted, and what should it contain?
ANSWER
In the event of a personal data breach involving data of the controller processed by the processor, it is recommended that an ad hoc audit be conducted, in the course of which the following steps should be taken:
- minimising the consequences of the incident,
- clarifying the circumstances of the incident,
- preserving evidence of the incident,
- assessing the personal data breach with a view to a possible report within 72 hours to the President of the Office, necessary in order to fulfil the obligation arising from Art. 33 GDPR,
- assessing the personal data breach with a view to a possible prompt notification of the individual whose data are affected by the breach, necessary in order to fulfil the obligation arising from Art. 34 GDPR.
The above is of course necessary from the controller's perspective in order to properly assess the breach and fulfil the GDPR requirements. There is, however, nothing to prevent a more far-reaching audit from being conducted at the processor's premises following a breach, one that relates not only to this single incident but to the overall context of the organisation's operations insofar as this may concern the entrustment relationship, including the processor's resources involved in processing data on behalf of the controller.
For example, we may request the processor to make available the results of the risk analysis for the resources involved in processing those data, which the processor should have carried out (and may, as a result of the breach, have repeated), in accordance with Art. 32 GDPR.